Hey Buchan,

Thanks a lot for your help... it makes sense now. During the configuration process, I modified the NSS service to consult the OpenLDAP server by adding the following lines in the /etc/nsswitch.conf file:

passwd: files ldap
shadow: files ldap
group:  files ldap

So the ldap server is called for NSS lookups regardless of what authentication mechanism is used. Got it.

On Monday 25 February 2008 20:52:08 Hamidreza Hamedtoolloei wrote:
> So if a user is in both /etc/passwd and ldap, linux authentication is used.
> However, if a user is ONLY in the ldap directory, linux authentication fails
> and ldap is called. Analysing the case that a user is only in the
> etc/passwd:
> In this case, there are some activities on the ldap side which I don't
> understand. If a user is only in etc/passwd and the pam.d/system.auth file
> says call ldap only if linux fails, then why is ldap called when linux
> authentication is successful?

Because this is NOT PAM. It is an NSS lookup. For example, when you type 'ls', the filesystem returns the uid that owns the files. To show the username of the owner, the C library invokes a function from nss to look up the username. This has nothing to do with pam. In a similar way, group memberships have nothing (much) to do with PAM, but with nss.

> You say this is expected... but if I understood the pam.d/system.auth file
> correctly, ldap should not be called if a user is only in etc/passwd

We can't tell, as you haven't provided your /etc/nsswitch.conf file, and none of the queries from your log look like pam_ldap; they look more like nss_ldap ...

Regards,
Buchan
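An added example, not code from this thread, that makes Buchan's point concrete: it parses the kind of nsswitch.conf lines quoted above (from a constructed sample, not Hamidreza's actual file), reports which databases will consult ldap, and resolves a file owner's uid to a name the way `ls -l` does, through the C library's getpwuid(), which NSS serves with no PAM involved. The sample file content and all function names are my own.

```python
import os
import pwd
import grp

# Constructed sample of /etc/nsswitch.conf content, in the shape of the
# lines quoted in the thread; it is not the file from the original mail.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
"""


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text.

    Comments and blank lines are skipped; action specifiers such as
    [NOTFOUND=return] are dropped so only the source names remain.
    """
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        order[db.strip()] = [tok for tok in sources.split()
                             if not tok.startswith("[")]
    return order


def ldap_consulted_for(order, database):
    """True when 'ldap' is among the NSS sources for the given database.

    This is what decides whether an LDAP query appears in the server log
    during an 'ls' or group lookup; PAM configuration plays no part here.
    """
    return "ldap" in order.get(database, [])


def resolve_uid(uid):
    """Mimic what ls -l does for the owner column.

    getpwuid() is served by NSS (files, then ldap, in the order above);
    if no source knows the uid, ls prints the number instead of a name.
    """
    try:
        return pwd.getpwuid(uid).pw_name
    except (KeyError, OverflowError):
        return str(uid)


def resolve_gid(gid):
    """Same idea for the group column: getgrgid() via NSS, numeric fallback."""
    try:
        return grp.getgrgid(gid).gr_name
    except (KeyError, OverflowError):
        return str(gid)


def owner_of(path):
    """Return (owner name, group name) for a path, as ls -l would show them."""
    st = os.stat(path)
    return resolve_uid(st.st_uid), resolve_gid(st.st_gid)


if __name__ == "__main__":
    order = parse_nsswitch(SAMPLE_NSSWITCH)
    for db in ("passwd", "shadow", "group", "hosts"):
        print(f"{db:<8} sources={order[db]} ldap={ldap_consulted_for(order, db)}")
    print("owner of /:", owner_of("/"))
```

Running it against the sample shows passwd, shadow and group all listing ldap as a source, so any uid or gid not found in the local files is looked up in LDAP by nss_ldap even when the user authenticated purely through pam_unix.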
